PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49969 plank CVE debrief

CVE-2026-49969 is a server-side request forgery vulnerability in Laravel-Mediable before 7.0.0. The vulnerability allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). This can lead to unauthorized access to internal infrastructure, sensitive file retrieval, and exfiltration of cloud credentials such as IAM tokens from instance metadata services. Users should validate and sanitize input, restrict access to sensitive endpoints, and monitor for suspicious activity. The CVE record was published on 2026-07-13T19:17:09.793Z and was last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.

Vendor
plank
Product
laravel-mediable
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of Laravel-Mediable before version 7.0.0 should be aware of this vulnerability and take steps to mitigate it. This includes validating and sanitizing user input, restricting access to sensitive endpoints, and monitoring for suspicious activity.

Technical summary

The Laravel-Mediable library before version 7.0.0 contains a server-side request forgery (SSRF) vulnerability. This vulnerability allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). Attackers can craft URLs targeting RFC-1918 addresses, loopback interfaces, cloud metadata endpoints, or file:// URIs through RemoteUrlAdapter to reach internal infrastructure, retrieve sensitive files, and exfiltrate cloud credentials such as IAM tokens from instance metadata services.

Defensive priority

Medium

Recommended defensive actions

  • Validate and sanitize user input to prevent arbitrary URL requests.
  • Restrict access to sensitive endpoints and resources.
  • Monitor for suspicious activity and implement logging and alerting.
  • Implement compensating controls such as firewalls and intrusion detection systems.
  • Upgrade to Laravel-Mediable version 7.0.0 or later.

Evidence notes

The CVE record was published on 2026-07-13T19:17:09.793Z and was last modified on 2026-07-13T19:28:49.830Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. Evidence is limited, and defenders should verify affected scope and vendor guidance with caution.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:09.793Z and has not been modified since then. The NVD entry is currently Deferred.